[00:00.000 --> 00:04.580]  Hello everyone. Today I'm going to talk about Russian cyber threats in the pandemic era,
[00:04.580 --> 00:09.860]  how Russia has actually seized upon the global COVID-19 pandemic as an opportunity
[00:10.270 --> 00:16.020]  to launch its multi-faceted, multi-directional information warfare strategy against its
[00:16.020 --> 00:24.160]  prospective enemies, and how they used their APT groups and criminal groups to attack healthcare
[00:24.160 --> 00:34.140]  organizations, research institutes, and hospitals in the United States and in European countries.
[00:34.140 --> 00:42.060]  So before I talk about the hacking and actual disruption, I would like to give you a kind of
[00:42.060 --> 00:50.420]  an overview of how Russia sees information warfare strategy, which kind of agencies are in charge,
[00:50.420 --> 00:59.000]  and actually what their doctrine of information warfare is, how actually they're
[00:59.000 --> 01:07.260]  using APT groups and criminal syndicates to achieve their mission. Let me just give you
[01:07.380 --> 01:13.500]  a kind of an overview of how Russian information warfare doctrine works. It is kind of an integrated
[01:13.500 --> 01:18.940]  system of systems that works together. Everything is under one umbrella, whether it is
[01:18.940 --> 01:24.840]  intelligence, counterintelligence, masking something, or attacking the enemy's
[01:24.840 --> 01:34.280]  computer networks and software applications. So now, a few years ago, in 2018,
[01:34.280 --> 01:40.000]  artificial intelligence elements were added to its information warfare doctrine. It actually
[01:40.000 --> 01:47.800]  contains two elements: using artificial intelligence technology in the military field
[01:47.800 --> 01:56.220]  and in the non-military field. For example, using AI technology to advance their military capabilities
[01:56.220 --> 02:03.040]  and using AI technology to advance their capability in the medical field, biotechnology
[02:03.040 --> 02:12.000]  field, manufacturing, and energy field. So they actually see artificial intelligence as an emerging
[02:12.000 --> 02:18.660]  tool to secure their strategic interests inside the country and outside the country. Some historical
[02:18.660 --> 02:24.540]  background on how the information warfare doctrine was actually formed. I'm just going to give you
[02:24.940 --> 02:30.140]  a short overview. The doctrinal and strategic thinking is actually still rooted in the teaching
[02:30.140 --> 02:38.000]  of the Marshal of the Soviet Union, Nikolai Ogarkov, in what he referred to
[02:38.000 --> 02:44.240]  as the military technical revolution. A brief restatement of his thesis is that computers with
[02:44.240 --> 02:49.220]  accuracy and miniaturization were about to transform the modern battlefield, that the Americans are
[02:49.220 --> 02:55.760]  ahead in this respect, and we really have to do something about it because we're falling behind.
[02:55.760 --> 03:02.140]  So another event also affected the formation of the Russian information warfare doctrine
[03:02.140 --> 03:07.740]  and its subset of cyber warfare. They declared the first and second Gulf Wars to be wars of the
[03:08.460 --> 03:15.200]  military technical revolution. But then, fast forward, there were the Yeltsin years, and in those
[03:15.200 --> 03:21.340]  years theorists actually developed theories rather than building machines, writing software,
[03:21.340 --> 03:27.660]  and running operations. And fast forward, there were a couple of other events, but a couple of
[03:27.660 --> 03:35.380]  years ago the current Chief of the General Staff, Valery Gerasimov,
[03:35.380 --> 03:42.140]  published an article in one of the military newspapers that actually was dubbed the
[03:43.940 --> 03:48.960]  Gerasimov Doctrine in the Western press, but actually he's saying that in a matter of months,
[03:49.000 --> 03:57.340]  a perfectly thriving state can be turned into a web of chaos. So they see information warfare
[03:57.340 --> 04:03.160]  and its subset of cyber warfare as a way to achieve their objectives in various directions, whether it's the
[04:03.160 --> 04:16.020]  political direction, or the military direction, or any other field. So let me just give you
[04:17.000 --> 04:27.860]  a couple of examples of who the major players are in this respect, which organizations
[04:27.860 --> 04:36.960]  actually have the upper hand in information warfare, and in its subset of cyber
[04:36.960 --> 04:45.740]  warfare. I'm going to give you a small historical overview about this. Actually in 2003,
[04:46.620 --> 04:53.540]  a couple of years after Putin came to power, he actually disbanded FAPSI, the Federal
[04:53.540 --> 04:58.220]  Agency for Government Communication and Information. This agency was in charge of
[04:58.220 --> 05:03.900]  military intelligence, code cracking, cryptographic security, technical intelligence,
[05:03.900 --> 05:11.550]  and counterintelligence. And once it was disbanded, some of its functions went to these organizations:
[05:12.080 --> 05:18.880]  the Federal Protective Service, FSO; the Federal Security Service, FSB; the MVD, that is the Ministry of
[05:18.880 --> 05:23.840]  Internal Affairs of Russia; the SVR, Foreign Intelligence; and the GRU, Russian Military
[05:24.520 --> 05:29.540]  Intelligence. What is also very important here is that a large portion of FAPSI that was
[05:29.540 --> 05:35.420]  left after the organization was renamed the Special Communication and Information Service
[05:35.420 --> 05:41.900]  was folded into the FSB. So all of those organizations have their part in the information
[05:41.900 --> 05:46.720]  warfare doctrine. What is also very important here is that the leading role in this respect
[05:46.720 --> 05:54.640]  is held by Russian military intelligence, the GRU, and the Russian Federal Security Service, FSB. So here is a kind
[05:54.640 --> 06:02.740]  of a, you know, structured overview of the GRU's research, how actually the GRU's research institutes and units
[06:03.600 --> 06:10.960]  are participating in information warfare and cyber warfare efforts. Let me just give you
[06:11.380 --> 06:18.900]  kind of an overview of those central research institutes and units.
[06:18.900 --> 06:25.400]  So the Defense Ministry's 45th Central Research Institute, it's military unit
[06:25.400 --> 06:34.140]  54726. Those units are actually in charge of finding intelligence about the
[06:34.140 --> 06:43.920]  military potential of foreign countries. Another unit here is the MOD Center, the Ministry
[06:43.920 --> 06:53.760]  of Defense Center for Special Studies. Those centers are hiring students from engineering
[06:53.760 --> 07:00.120]  schools, and they are in charge of analyzing, exploiting, and finding vulnerabilities in
[07:00.120 --> 07:05.720]  computer systems. By the way, what is also very important is Evgeny Serebryakov, who actually
[07:06.700 --> 07:15.380]  was expelled from the Netherlands in 2018 because he was trying to hack into the OPCW.
[07:15.380 --> 07:20.780]  The OPCW is the Organization for the Prohibition of Chemical Weapons. It's a UN chemical
[07:20.780 --> 07:27.220]  watchdog organization. They were about to craft a report about the poisoning substance that was used
[07:27.940 --> 07:35.060]  against the double agent Sergei Skripal and his daughter Yulia, and they were also about to
[07:35.060 --> 07:43.680]  craft a report on the chemical substance that was used in Douma, Syria.
[07:44.060 --> 07:50.660]  So they actually wanted to find out what this report was about before its release. Another
[07:50.660 --> 07:58.760]  major player is the MOD's 12th Division, which is in charge of cyber operations and
[07:58.760 --> 08:05.760]  psychological operations. Let me just talk a little bit about the 18th Central Research Institute and its
[08:05.760 --> 08:15.700]  unit, 11135. Those folks are in charge of signals intelligence. They are also in charge
[08:15.700 --> 08:22.360]  of the development of wireless devices, SCADA systems, and electromagnetic protection systems.
[08:22.660 --> 08:30.500]  And what is also very important, that's the 85th Central Research Institute, that's unit 26165,
[08:30.500 --> 08:39.120]  and the Main Center for Special Technology, that's unit 74455. Those two units are the major,
[08:39.120 --> 08:46.440]  biggest repository of hacker talent. And those units together, all of them together,
[08:46.440 --> 08:51.460]  actually formed APT28. This is the most persistent threat group. It is also
[08:52.200 --> 09:00.800]  known as Fancy Bear and has other names as well. And they are, of course, using hackers or
[09:00.800 --> 09:07.740]  forces for their hacking activities. I'm going to talk a little bit later about GUNID
[09:07.740 --> 09:12.440]  and the Technopolis ERA, what kind of laboratories they have, including the
[09:12.440 --> 09:16.380]  biotech labs, and what kind of projects they're actually implementing.
[09:17.600 --> 09:22.240]  So another development that also happened in the Russian military
[09:22.240 --> 09:30.000]  is that in 2017, they officially announced the formation of the military scientific units,
[09:30.000 --> 09:35.100]  also called information warfare troops. And what is also important, the
[09:35.100 --> 09:45.940]  Ministry of Defense of Russia officially made a statement about the formation of these units.
[09:45.940 --> 09:53.740]  And it openly said that those units will not only be in charge of securing the command
[09:53.740 --> 09:59.660]  and control and communication of the Russian military, or building and developing software for
[09:59.660 --> 10:05.620]  the National Defense Control Center, which is the supreme body that's responsible for the
[10:05.620 --> 10:12.940]  Defense Ministry's supervision and management, but those guys will also be in charge of
[10:12.940 --> 10:17.680]  psychological operations. That once again illustrates how Russia actually sees this
[10:17.680 --> 10:22.900]  information warfare doctrine: the concept of security, the concept of compartmentalization,
[10:22.900 --> 10:28.840]  and the idea of cyber as a separate domain, I mean, don't exist in the Russian concept.
[10:29.660 --> 10:34.880]  What is also very important is that the new warriors of these military scientific units,
[10:34.880 --> 10:41.060]  about 1,000 personnel, are incorporated into those units. So they are engineers,
[10:41.060 --> 10:46.920]  they are cryptographers, they are signalers, they are linguists, they are doctors, they are scientists.
[10:47.240 --> 10:55.380]  So let me just move on a little bit and talk about the Technopolis ERA.
[10:55.380 --> 11:07.020]  Technopolis ERA was opened in 2018. And according to official sources, they want to make it
[11:07.020 --> 11:15.540]  fully operational by the end of 2020. ERA stands for Elite of the Russian Army. And now they are
[11:15.540 --> 11:22.860]  actually planning to move these military scientific units, the twelfth of those units, which
[11:22.860 --> 11:29.980]  was created in 2018, on a permanent basis to Technopolis ERA. It is also believed that
[11:29.980 --> 11:36.760]  those military scientific units are the arms of the GRU, Russian military
[11:36.760 --> 11:43.420]  intelligence. So there are eight major directions they are working on: information telecommunication,
[11:43.420 --> 11:48.840]  supercomputers, information and cyber security, technical vision, energy technology,
[11:48.840 --> 11:52.580]  nanotechnologies, nanomaterials. But what is also very important, they're putting a lot of
[11:52.580 --> 12:00.700]  effort, financial resources, and human resources into the field of bioengineering, biosynthetics,
[12:00.700 --> 12:08.040]  and biosensor technologies. What is also one of the major missions of Technopolis ERA is actually
[12:08.040 --> 12:14.220]  finding information about other countries, what other countries are actually doing
[12:14.220 --> 12:24.900]  in this respect, in this field, in this direction. So, let me just talk a little bit about
[12:24.900 --> 12:36.400]  who is coordinating Technopolis ERA. I mean, officially it is coordinated by GUNID.
[12:36.400 --> 12:40.680]  This is the General Directorate for Research and Development and Technological Support of
[12:40.680 --> 12:45.940]  Advanced Technologies. They are cooperating with defense-related enterprises, and over
[12:45.940 --> 12:52.400]  200 scientific organizations, universities, and the Russian Academy of Sciences have agreements with
[12:52.400 --> 12:57.900]  Technopolis ERA. Some of those, and actually not some but quite many, you know, over 40,
[12:57.900 --> 13:06.000]  45 scientific organizations and defense-related enterprises, have permanent representation
[13:06.000 --> 13:12.520]  at Technopolis ERA. Let me just talk a little bit about the labs. They have 18 labs
[13:12.520 --> 13:20.460]  there, and I'm going to talk about the projects they are working on
[13:20.460 --> 13:28.160]  in the field of biotech. They are working on 3D bioprinting,
[13:29.040 --> 13:35.120]  lab-grown living tissues and bone tissues. They are working on machine learning
[13:35.120 --> 13:42.460]  technologies in healthcare for the diagnosis and treatment of illness.
[13:42.540 --> 13:48.820]  Telesurgery, working on medical robotics and multimedia image communication.
[13:48.820 --> 13:55.680]  In silico clinical trials and drug testing is one of their major directions, using
[13:56.540 --> 14:00.820]  computer models and simulation to develop and assess drugs and
[14:02.160 --> 14:09.120]  devices. What is also very important is that they are putting a lot of effort into a portable
[14:09.120 --> 14:17.420]  biological reconnaissance device. That is, they're putting a lot of effort into a biosensor device
[14:17.420 --> 14:25.800]  designed to detect pathogens of dangerous infections, diseases, and viruses. And one
[14:25.800 --> 14:30.560]  of the major directions of Technopolis ERA is biological intelligence. They are developing
[14:30.560 --> 14:43.720]  devices, biosensor devices, and they are also putting a lot of effort into biological
[14:43.720 --> 14:51.100]  intelligence. Actually, they are concerned about the research activities conducted by foreign
[14:51.100 --> 14:58.960]  research institutions, because they kind of feel that the problem needs appropriate reconnaissance
[14:59.600 --> 15:06.480]  in this respect, according to the statements of various government officials in Russia.
[15:06.540 --> 15:12.820]  So, the kind of, you know, hallmark of stealing intellectual property
[15:14.380 --> 15:24.660]  that was the signature of the Chinese APT groups, now we'll see that this will be
[15:24.660 --> 15:30.860]  incorporated by the Russian APT groups. And we already see some signs, actually,
[15:30.860 --> 15:36.760]  in this respect. So, kind of interesting information. It's kind of breaking news.
[15:36.760 --> 15:43.760]  Just recently, a few days ago, the Russian Ministry of Defense actually made a statement,
[15:43.760 --> 15:48.480]  where it's also, you know, very important to underline here, that together with the Gamaleya
[15:48.480 --> 15:54.540]  Scientific Research Institute of Epidemiology and Microbiology, they said that they successfully
[15:54.540 --> 16:04.380]  completed the trial of the COVID-19 vaccine. And, by the way, the First Minister of the...
[16:05.300 --> 16:12.300]  the Deputy Minister of Defense made a statement about this, that the vaccine is actually ready and
[16:12.300 --> 16:20.360]  ready for distribution. Interesting information. Let me just talk a little bit
[16:21.440 --> 16:29.700]  about the FSB's role in this respect, in the field of information warfare and its subset of
[16:29.700 --> 16:34.580]  cyber warfare. There are a lot of scientific and technical centers here in the units, but I'm
[16:34.580 --> 16:39.920]  going to, you know, talk about two major units that are in charge of cyber operations. So,
[16:39.920 --> 16:53.500]  one is unit 71330 and the other is unit 64829. They are under the 2nd Directorate and the 16th Directorate.
[16:53.580 --> 17:03.780]  So, those two centers, these units, are in charge of cyber. They
[17:03.780 --> 17:08.280]  have very high cyber intelligence capabilities, and they're in charge of
[17:08.280 --> 17:15.320]  offensive information operations outside of Russia, and inside of Russia as well. So, the unit
[17:17.760 --> 17:25.500]  of the 18th Information Center is also in charge of the SORM system. Let me just give you kind of an
[17:25.500 --> 17:31.160]  overview of the SORM system. SORM is the System of Operative Investigative Measures,
[17:31.160 --> 17:37.240]  a kind of surveillance system that now all the ISPs are legally required to install.
[17:37.240 --> 17:43.440]  This is a very sophisticated system that captures all digital and mobile communication
[17:43.440 --> 17:53.060]  and captures online communication, full recording of conversations, as well as the content of
[17:53.060 --> 17:59.700]  email, text, and other communication. So, for online communication, for example, it taps into
[17:59.700 --> 18:07.340]  the network of the internet service providers through rerouting devices called black boxes
[18:07.340 --> 18:14.180]  and high-speed communication lines. And by the way, it has real-time monitoring capabilities.
[18:14.620 --> 18:21.060]  So, here are a couple of examples of what kind of projects they are implementing,
[18:21.060 --> 18:25.460]  which I'm going to talk about on my next slides. They're also actually in charge of the hacker
[18:25.460 --> 18:32.700]  reserve forces. Imagine having reserve forces that you don't pay anything, you don't train,
[18:32.700 --> 18:39.840]  they train themselves, they pay themselves, and they do business for the intelligence services
[18:40.330 --> 18:50.440]  in Russia. And of course, they form the APT29 group, also a hacking group, a nation-sponsored group.
[18:50.440 --> 18:57.520]  It also has different names, CozyDuke and MiniDuke, et cetera, et cetera.
[18:57.520 --> 19:07.940]  Let me just talk about the projects of the Siloviki, the people of power,
[19:07.940 --> 19:15.840]  the Russian intelligence services that are in charge. For example, the contracting organizations
[19:16.740 --> 19:23.800]  that the security services in Russia outsourced to were hacked a couple of years ago,
[19:23.800 --> 19:29.980]  and last year as well. And all those projects were actually revealed on the net.
[19:30.180 --> 19:37.520]  One is the Nautilus project, which was about collecting information on social media about users.
[19:37.520 --> 19:43.300]  Another is Nautilus-S, which was about de-anonymizing Tor traffic using rogue
[19:43.300 --> 19:50.300]  servers. By the way, a couple of years ago, I mean, one or two years ago, 25 of those kind
[19:50.300 --> 19:56.700]  of rogue servers were identified, 18 of which were actually located in Russia.
[19:57.460 --> 20:04.060]  They are also using the so-called scientific institute think tanks for their projects.
[20:04.060 --> 20:15.500]  One of the think tanks, a pretty well-known think tank in Russia, is called Kvant, an FSB
[20:15.500 --> 20:21.680]  think tank, and they were also in charge of developing software to detect the protest mood
[20:21.680 --> 20:29.500]  among the population. Just a year ago, there was another leak, where
[20:29.500 --> 20:39.580]  hackers exposed the FSB IoT botnet project called Fronton. And so, the leaked documents actually
[20:39.580 --> 20:49.720]  showed that the procurement order was actually placed by FSB unit 64829. So,
[20:51.360 --> 20:58.940]  let me just give you kind of a quick overview of the growing complexity of outsourcing and
[20:58.940 --> 21:08.380]  why Russia uses a very sophisticated outsourcing strategy. Because it confounds attribution,
[21:08.380 --> 21:15.780]  and it's also very cost effective for them. And so, let me just give you the whole
[21:15.780 --> 21:25.360]  scenario of how it works. The idea actually comes from the government. And so, the government
[21:25.360 --> 21:31.060]  is actually in charge from the beginning of the whole command and control process. Then a project
[21:31.060 --> 21:38.780]  manager is assigned, and project management does the compartmentalization process. So, tasks are
[21:38.780 --> 21:48.480]  broken into pieces. And so, then the people in the middle are also outsourcing hackers from
[21:48.480 --> 21:56.420]  other countries, and subcontracting those hackers from, you know, Ukraine, from the United States,
[21:56.420 --> 22:03.720]  from China, and from other countries. So, the people here, the third parties, actually don't know
[22:03.720 --> 22:11.580]  where the original order actually comes from. Then money changes hands, and this is how the
[22:11.580 --> 22:17.140]  whole operation goes. So, if you want to just find out who is behind this or that project,
[22:17.140 --> 22:24.600]  it's very, very hard to actually solve the attribution problem in this respect.
[22:25.560 --> 22:34.680]  So, what we saw during this pandemic time, the Kremlin's information warfare was used to its full
[22:34.680 --> 22:41.180]  capacity. They used the cyber elements, they used their disinformation elements, and
[22:42.320 --> 22:51.320]  they used all the components of information warfare. So, they spread malicious content,
[22:51.320 --> 22:58.240]  malicious information, they used the conventional media outlets, they used their scientists,
[22:58.240 --> 23:04.960]  they used trolls, they used non-conventional channels, for example, to
[23:04.960 --> 23:13.020]  spread this information, not only in English and in Russian, but in various languages.
[23:13.760 --> 23:20.440]  And by the way, when I did research about this, the views and shares of that information
[23:20.440 --> 23:27.660]  were in the hundreds of thousands and into the millions. But it's nothing new. So, this kind
[23:27.660 --> 23:34.720]  of spreading of false narratives, I mean, these are all tactics that the Russian military, and not only
[23:34.720 --> 23:40.620]  the Russian military, the FSB and intelligence organizations in general, were using in the past. For
[23:40.620 --> 23:50.700]  example, in the 1950s, Soviet military intelligence created rogue, fake reports
[23:50.700 --> 23:56.800]  that the US used biological weapons in Korea, supposedly dropping bombs filled with insects and
[23:56.800 --> 24:05.540]  rats infected with cholera and plague. As well as, for example, in the late 1980s,
[24:05.540 --> 24:09.860]  Soviet spies spread false narratives that the AIDS epidemic started from an experiment
[24:10.330 --> 24:17.140]  at a secret military biological lab in the US. They're also spreading false narratives about
[24:18.420 --> 24:27.640]  scientific institutions and labs in other countries, supposedly creating
[24:28.180 --> 24:37.840]  biological weapons or something like this. So, in March and April, there were a couple of
[24:37.840 --> 24:45.820]  reports published in this respect on how the Russians were using APT groups and cyber criminal syndicates
[24:45.820 --> 24:57.080]  to hack into research facilities and hospitals, and what kind of strategies,
[24:57.080 --> 25:04.560]  methodologies and TTPs they were using. Now, just recently, the UK's National
[25:04.560 --> 25:11.280]  Cyber Security Centre published an advisory. They openly said that the APT29 group that is associated with the
[25:12.000 --> 25:23.680]  FSB, the Russian Federal Security Service, that APT29 is attempting to steal information on
[25:23.680 --> 25:29.160]  coronavirus research, targeting pharmaceutical companies, healthcare, and academic research
[25:30.080 --> 25:38.500]  centers. So, all aspects of the information warfare elements were actually used. As I mentioned,
[25:38.500 --> 25:44.550]  they used the conventional media, anonymous outlets, the cyber components, they tried to...
[25:45.520 --> 25:51.600]  they created a fake coronavirus tracking website, a fake coronavirus application,
[25:51.600 --> 25:57.800]  ransomware targeting the healthcare system, which I'm going to talk about in detail in my
[25:59.860 --> 26:06.980]  next slides, targeting VPN systems, remote working tools and software.
[26:07.530 --> 26:16.240]  So, here are actually a couple of examples. Now, what kind of fake, bogus emails are they crafting,
[26:16.240 --> 26:22.690]  mimicking legit organizations such as the World Health Organization, the CDC,
[26:23.340 --> 26:30.660]  and other government agencies. For example,
[26:30.660 --> 26:36.180]  cyber criminals in the UK also used the SMS phishing strategy. Here is a screen.
[26:37.960 --> 26:44.780]  They're sending to UK residents that the UK government has issued a payment of over 400
[26:44.780 --> 26:51.480]  pounds to a resident, and you just have to click on this link. And once you click on this link,
[26:51.480 --> 26:57.300]  it actually asks you for the national registration number, as well as other information,
[26:57.300 --> 27:04.220]  banking information. A fake Android application was also created, and was removed from Google
[27:04.220 --> 27:09.820]  Play. So, what actually, I'm going to talk about the fake live map that resembles the Johns Hopkins
[27:10.720 --> 27:18.640]  University coronavirus tracking infographic map. I'm going to talk about this in more detail
[27:18.640 --> 27:26.800]  in my next slides. So, what we also saw during this period, that's over 1.2 million newly
[27:26.800 --> 27:37.200]  registered domains were created, and over 85,000 domains were classified as risky or malicious.
[27:37.200 --> 27:48.040]  Okay, here is one of the criminal groups, called Sodinokibi, as well as REvil. This group
[27:48.540 --> 28:00.840]  has a very heavy presence on the XSS forum. This group actually launches
[28:02.900 --> 28:11.800]  competitions for developing exploits for zero days, writing crypto algorithms, and other kinds
[28:11.800 --> 28:16.580]  of tasks that they post on this website, and they pay money. For example, one of the competitions
[28:16.580 --> 28:26.980]  was about $15,000. What is also very important, that they were also,
[28:26.980 --> 28:33.320]  sometime in February, already discussing the methods to deliver malware, where an email
[28:33.320 --> 28:41.400]  attachment then later was embedded into the COVID-19 Johns Hopkins infographic map. They
[28:41.400 --> 28:51.200]  were also selling the variants of malware that later were embedded into the fake map.
[28:51.200 --> 28:57.880]  And for example, if you just opened it, it downloaded malicious code into your system.
[28:57.880 --> 29:03.040]  It collected information from the infected computer and sent this information to the
[29:05.440 --> 29:13.140]  command and control server. By the way, this group is a human-operated ransomware group.
[29:13.140 --> 29:19.400]  What does that actually mean? The attack doesn't happen in an automated fashion, but instead,
[29:19.400 --> 29:24.180]  they are compromising internet-facing devices in order to establish presence in a vulnerable
[29:24.180 --> 29:30.600]  system, and later then execute attacks, steal information, and encrypt the
[29:31.160 --> 29:38.020]  victim's data. They were exploiting vulnerabilities in remote desktop protocols,
[29:38.020 --> 29:46.140]  vulnerabilities in unpatched operating systems, misconfigured servers,
[29:46.140 --> 29:52.580]  as well as electronic health record software. What is also important is that for their operation,
[29:52.580 --> 29:57.660]  they use Mimikatz. Mimikatz is a leading exploitation tool that actually dumps
[29:57.660 --> 30:03.620]  passwords from memory. This organization, this criminal organization, actually also
[30:03.620 --> 30:08.160]  attacked one of the biotech companies that is based in California.
[30:09.340 --> 30:15.160]  What is also very important here is that they are not only interested in stealing
[30:15.160 --> 30:21.300]  intellectual property from the biotech companies in the United States or in European countries,
[30:21.300 --> 30:28.100]  but also they were trying to gain some financial... they are launching cyberattacks for
[30:28.100 --> 30:34.940]  financial gain, pure financial gain. For example, they attacked a New York law firm,
[30:34.940 --> 30:43.720]  and this is one of the prominent, very well-known law firms that has very high level clientele,
[30:43.720 --> 30:52.320]  and asked for a ransom. So, I already said that Russian
[30:54.620 --> 31:00.440]  deep web forums, dark web forums, and hacker forums were very busy during this time period. A lot of
[31:00.440 --> 31:09.740]  discussions were going on on those forums, even selling variants of malware, discussing the
[31:09.740 --> 31:18.560]  methodologies about how to embed malicious code into email, and some other... and the COVID-19
[31:19.170 --> 31:28.960]  issue was very highly discussed, along with all of these TTPs and methodologies, on those forums. As I
[31:28.960 --> 31:35.640]  mentioned, already on one of those forums they were offering malware for sale that later was
[31:35.640 --> 31:48.020]  inserted into an email attachment resembling the fake COVID-19 map. So, those dark web forums are
[31:51.900 --> 31:59.180]  also... there are a lot of other, you know, dark forums and hacker forums, actually, that are
[31:59.180 --> 32:03.360]  on the .ru domains and the .su domains. If you don't know what the .su domain is, it's the old Soviet Union
[32:03.360 --> 32:12.540]  domain, and it actually has over 120,000 registered domains. So, yeah, a lot of interesting
[32:14.860 --> 32:22.800]  information could have been... you could... one can gather from those forums, and it gives you
[32:22.800 --> 32:28.500]  kind of a good understanding of what they are up to, what they are planning, what kind of strategies
[32:28.500 --> 32:30.660]  they are discussing
[32:33.220 --> 32:35.340]  for future attacks.
[32:36.740 --> 32:42.880]  So, another also group that was very active during this period was a HADES group.
[32:42.880 --> 32:47.540]  This group is associated with the Russian military...
[32:50.260 --> 32:57.780]  Russian military GRU with APT28 group, also called Defense CBSN, or Voodoo Beer Telebot,
[32:57.780 --> 33:02.900]  and it has also some other names as well. So, those... they were using the phishing email
[33:03.980 --> 33:08.160]  campaign, mimicking World Health Organization and the
[33:09.400 --> 33:15.960]  Ministry of Health of Ukraine. They were sending... here is a, you know, example what kind of
[33:17.760 --> 33:23.460]  emails they were sending to the organizations
[33:24.020 --> 33:30.780]  in Ukraine, and not only in Ukraine, where most of this group was active in European countries,
[33:30.780 --> 33:36.920]  in particular, heavily active in Ukraine. And once you, you know, open this file, it's
[33:36.920 --> 33:42.340]  downloaded malicious macro code to perform the remote control.
[33:43.260 --> 33:50.920]  Another group that was very active during this time was Gamaredon. This is an FSB group.
[33:52.000 --> 34:03.230]  They also targeted organizations, you know, they targeted scientific research centers,
[34:03.580 --> 34:11.120]  hospitals, all over the Western countries. This group is associated with the FSB's 16th and
[34:11.120 --> 34:18.660]  18th Centers, under the Second and 16th Directorates of the FSB, active since 2013,
[34:18.660 --> 34:28.140]  attacking Ukraine since 2014. So once you actually open the document, it started a
[34:28.140 --> 34:34.440]  template injection technique for loading the document templates from the internet.
[34:34.440 --> 34:39.600]  And once the document was downloaded, it executed that malicious macro code,
[34:39.600 --> 34:47.980]  which executed the VBS scripts. So here are actually
[34:48.660 --> 34:56.400]  the IP addresses; they are from Russian hosting companies. Those IP addresses are the ones this group
[34:56.400 --> 35:04.620]  used as the network destination for template injection and the network destination for the VBS script.
[35:05.920 --> 35:13.140]  So another organization, a cyber criminal group that was very active during this
[35:13.140 --> 35:19.680]  time, was the Russian ransomware group called Maze. This group used a variety
[35:19.680 --> 35:27.440]  of techniques: exploiting known vulnerabilities that hadn't been patched, remote
[35:27.930 --> 35:34.360]  desktop connections with a weak password. They used malicious emails or links.
[35:34.800 --> 35:37.980]  They attacked not only
[35:40.500 --> 35:47.960]  research institutes and scientific centers, but also attacked, for example,
[35:47.960 --> 35:56.820]  IT service provider companies that provide this kind of services for the healthcare industries
[35:56.820 --> 36:02.480]  and manufacturing. And in March, they attacked the Hammersmith
[36:04.240 --> 36:12.120]  Medicines Research Center in the UK. So this center was previously involved with an Ebola solution and
[36:12.120 --> 36:20.000]  was working on a COVID-19 vaccine. So what is also very important about this ransomware group is that
[36:20.000 --> 36:29.980]  this group is not kind of typical data-encrypting ransomware. So it doesn't just infect
[36:29.980 --> 36:39.040]  and encrypt every computer that is in its path, but it is also extracting
[36:39.040 --> 36:48.260]  information and data to the attacker servers. So let me just talk a little bit about
[36:48.260 --> 36:56.440]  Ryuk. This is another Russian hacking group. This hacking group also attacked hospitals
[36:56.440 --> 37:03.920]  in Europe and the United States; for example, they attacked the second largest hospital in
[37:03.920 --> 37:11.160]  the Czech Republic, in Brno. Before the pandemic, they actually attacked the hospitals in Alabama
[37:11.160 --> 37:21.700]  and they asked for a big ransom to decrypt them and unlock medical data. This ransomware is
[37:21.700 --> 37:34.920]  typically, you know, deployed once they already got into the compromised system. For example,
[37:35.380 --> 37:39.220]  they used, in this respect, Emotet and TrickBot. Emotet is a malware that
[37:39.220 --> 37:45.720]  originally was actually created as a banking trojan designed to steal information. And once
[37:45.720 --> 37:55.020]  the system was infected, their payload was dropped into the system and executed. And
[37:55.020 --> 38:01.860]  then the encryption process actually started and they were asking for a ransom
[38:02.600 --> 38:09.520]  to decrypt the data back. So for attack vectors, they are trying to find vulnerabilities
[38:09.520 --> 38:15.940]  in the system, remote desktop protocol and poorly secured RDP ports. They use phishing
[38:15.940 --> 38:22.800]  email, sending a malicious bogus email to trick legit organizations into opening these emails
[38:22.800 --> 38:34.900]  and downloading documents from this organization, actually tricking
[38:34.900 --> 38:46.400]  legitimate organizations. So this is actually what I wanted to talk about, how actually Russians use
[38:46.400 --> 38:52.360]  their information warfare strategy, its elements of cyber warfare, during this pandemic
[38:52.360 --> 38:56.680]  time. Of course, I would just like to talk to you a little bit about the mitigation strategy. And we
[38:56.680 --> 39:05.220]  also talk a lot about countermeasures in our community, about what kind of steps should be taken
[39:05.220 --> 39:10.740]  in order to secure systems, to diminish risk, to decrease risk in this respect. Of course,
[39:10.740 --> 39:16.500]  an important factor is to assess the supply chain. Supply chain contamination is
[39:16.560 --> 39:25.600]  a big problem in this respect. Unpatched systems were exploited by those hackers. Of course, it's
[39:26.440 --> 39:32.620]  very important to have them implement multi-factor authentication methods,
[39:32.620 --> 39:37.960]  as well as to train the staff in this respect. But what is also very important here, and in most
[39:37.960 --> 39:45.080]  cases nobody talks about it, is putting threat intelligence into the mitigation strategy.
[39:45.080 --> 39:51.100]  For example, before the pandemic, all of those Russian forums were discussing
[39:51.100 --> 39:56.500]  all of those methodologies and selling the malware on those forums. I think that
[39:56.500 --> 40:04.080]  observing what's going on on the dark web, deep web, Russian hacking forums must be
[40:04.080 --> 40:07.960]  included in a mitigation strategy, because it gives you a pretty good understanding of what they
[40:07.960 --> 40:15.800]  are up to and what they are planning in the future. So, thank you very much. I hope you'll find this
[40:16.880 --> 40:24.160]  presentation very interesting, and I'm looking forward to the Q&A session. Thank you.
